Abstract

Error function analysis is an effective attack against chaotic cryptograph
[PRE 66, 065202(R) (2002)]. The basin structure of the error function is
crucial for determining the security of chaotic cryptosystems. In the present
paper the basin behavior of the system used in [21] is analyzed in relation
to the estimation of its practical security. An S-box algebraic operation is
included in the chaotic cryptosystem, which considerably shrinks the basin
of the error function and thus greatly enhances the practical security of the
system at little computational expense.
PACS numbers: 05.45.Vx, 05.45.Ra 



I. INTRODUCTION 



In the last decade, secure communication based on chaos synchronization has attracted
continual attention [1-9]. In the early stage, scientists in this field put much effort into
inventing methods to hide private messages in chaotic signals and into presenting a variety
of designs for chaos synchronization of encryption and decryption systems. Recently, the
study has gone further into practical aspects. The standard evaluations popularly used in
conventional secure communication for essential cryptographic properties, such as security,
performance and robustness against channel noise, have been applied to chaotic
cryptosystems. With these evaluations some advantages and disadvantages of chaos-based
cryptosystems have been explored [10-18]. In this paper, we will propose a new chaotic
cryptosystem and focus on evaluating its security.

Chaotic cryptograph is based on analytical floating-point computation [18], and it has
the property of aperiodicity, which is very desirable for secure communication. Though
any trajectory of autonomous chaos must be periodic in computer realizations with finite
precision, the actual period of a system with a number of chaotic coupled oscillators (e.g.,
ten oscillators) may be so large that realistic communications can never reach this period,
and thus aperiodicity is practically kept in most spatiotemporally chaotic systems [19].
Moreover, chaotic systems have positive Lyapunov exponents leading to the sensitivity of
trajectories to initial conditions and system parameters, and these features give very
good properties of bit diffusion and confusion [17,20]. In particular, in spatiotemporal chaos
with large numbers of positive Lyapunov exponents, bit confusion and diffusion are
conducted in multiple directions and high dimensions of variable space, and may thus
become rather strong. This is of crucial importance for the high security of cryptosystems.
However, chaotic cryptograph has some serious weaknesses in its security. First, since any
chaotic output is based on floating-point analytical computation, the underlying dynamics,
including the parameters of the secret key, may be pursued (sometimes very easily [10-17]).
Second, positive Lyapunov exponents determine a certain finite bit confusion rate; this
finiteness may not be fast enough to confuse small parameter mismatches and may present
certain basin structures around the secret key (see Fig.1 in [21] and Fig.2 in [22]), which can
be used by intruders for effective attacks. On the other hand, conventional cryptograph uses
algebraic operations on integers; some methods such as S-box transformation can greatly
increase the difficulty of attacks by analytical computations, and can effectively distort and
even eliminate the basin around the secret key. Nevertheless, a single or a few S-box
operations cannot produce sufficiently strong bit diffusion and confusion, and many rounds
of S-box or other algebraic operations are needed for reaching high security (e.g., for the
Advanced Encryption Standard, AES, one needs 10, 12 and 14 rounds for 128-bit, 192-bit and
256-bit keys, respectively). Therefore, it is interesting to combine approaches of both chaotic
and conventional cryptographic methods, and to enhance the security of cryptosystems in
some convenient ways. This has been done before by a number of authors [17,18,23]. In this
paper, we will apply the idea of S-box in our chaotic cryptograph which mainly uses
floating-point analytical computation.

In [21] we suggested applying spatiotemporal chaos produced by a one-way coupled
one-dimensional map lattice for achieving high practical security. In [22] a two-dimensional
map lattice is used for obtaining efficient performance, i.e., fast encryption and decryption
speeds, by applying parallel encryption (decryption) operations from different chaotic sites.
In this paper we will go further from [21] by incorporating the S-box algebraic operation in
the chaotic cryptograph and reach high security with low computation expense. The paper is
organized as follows. In Sec. II we specify our system and present some cryptographic
results without S-box, which are evaluated by the error function; the basin structure
and its influence on the practical security are analyzed in detail. In Sec. III, we include an
S-box operation, and show that with the combined application of spatiotemporal chaos
and S-box the key basin of the error function is effectively shrunk to a single point within
the computation precision. This leads to great enhancement of the security of the chaotic
cryptosystem. In the last section, a brief discussion and conclusion on the practical security
of the system against other attacks currently used in chaotic and conventional cryptanalyses
are presented.

II. CHAOTIC CRYPTOSYSTEM AND ITS SECURITY EVALUATION 

We start from the cryptosystem of one-way coupled map lattice used in [21], with a 
slight modification by using the nonlinear parameters rather than coupling parameters as 
the secret key. The encryption transformation reads 



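$$x_{n+1}(j) = (1-\varepsilon) f_j[x_n(j)] + \varepsilon f_j[x_n(j-1)], \tag{1a}$$

$$f_j(x) = (3.75 + a_j/4)\,x(1-x), \quad j = 1, \ldots, m$$

$$x_{n+1}(j) = (1-\varepsilon) f[x_n(j)] + \varepsilon f[x_n(j-1)], \tag{1b}$$

$$f(x) = 4x(1-x), \quad j = m+1, \ldots, N$$

$$S_n = (K_n + I_n) \bmod 2^{\nu}, \quad K_n = [\mathrm{int}(x_n(N) \times 2^{\mu})] \bmod 2^{\nu} \tag{1c}$$

$$x_n(0) = S_n/2^{\nu} \tag{1d}$$

and the decryption transformation is

$$y_{n+1}(j) = (1-\varepsilon) f_j[y_n(j)] + \varepsilon f_j[y_n(j-1)], \tag{2a}$$

$$f_j(x) = (3.75 + b_j/4)\,x(1-x), \quad j = 1, \ldots, m$$

$$y_{n+1}(j) = (1-\varepsilon) f[y_n(j)] + \varepsilon f[y_n(j-1)], \quad j = m+1, \ldots, N \tag{2b}$$

$$K'_n = [\mathrm{int}(y_n(N) \times 2^{\mu})] \bmod 2^{\nu}, \quad I'_n = (S_n - K'_n) \bmod 2^{\nu} \tag{2c}$$

$$y_n(0) = S_n/2^{\nu} = x_n(0) \tag{2d}$$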



In Eqs.(1) and (2), $\mathbf{a} = (a_1, a_2, \ldots, a_m)$ and $\mathbf{b} = (b_1, b_2, \ldots, b_m)$ serve as the secret keys of
encryption and decryption, respectively, which can be freely chosen in the interval (0,1).
The transmitter sends the ciphertext $S_n$ in the public channel, and the receiver can achieve
chaos synchronization with the transmitter by applying the decryption key $\mathbf{b} = \mathbf{a}$ and the
ciphertext driving $y_n(0) = x_n(0) = S_n/2^{\nu}$, and then correctly receive the plaintext as

$$y_n(N) = x_n(N), \quad K'_n = K_n, \quad I'_n = I_n \tag{3}$$

We assume that the intruder has the same communication machine, and thus he knows
the structure of Eqs.(1) and (2), and knows also the values of all the system parameters
$(N, m, \mu, \nu, \varepsilon)$ except the secret key $\mathbf{a}$. Moreover, the intruder has full knowledge (past and
present) of the ciphertexts $S_n$ because $S_n$ is transmitted in the open channel, and a part of
the past plaintexts $I_n$ of length $T$ (say, from $n-1$ to $n-T$) by some chance. With the
above messages accessible to the intruder we have to consider resistance against the
public-structure and plaintext-known attacks. There exist many attacks of this type, among
which we will consider the error function attack (EFA) by computing the following error
function [21]

$$e(\mathbf{b}) = \frac{1}{T}\sum_{n=1}^{T} |i'_n - i_n|, \quad i_n = \frac{I_n}{2^{\nu}}, \quad i'_n = \frac{I'_n}{2^{\nu}} \tag{4}$$

from which the intruder may try to extract the secret key a and then unmask all future 
plaintext. Since EFA fully uses all information available for the legal receiver except the 
secret key only, it can be regarded as a very effective attack. 

Now we start our numerical simulation with the following parameters fixed throughout 
the paper 

$$m = 4, \quad \mu = 52, \quad \nu = 32, \quad \varepsilon = 0.99, \quad a_j = 0.5, \quad j = 1,2,3,4 \tag{5}$$

In Figs.1(a)-(d) we fix $N = 25$, $T = 10^5$, and $b_2 = b_3 = b_4 = 0.5$, and run the cryptosystem
by varying a single test key parameter $b_1$, and plot $e(b_1)$ vs $b_1$ for different test resolutions.
The initial values of both transmitter and receiver are chosen arbitrarily, and they vary for
different runs. In computing (4), 100 transient iterations are discarded. In Figs.1(c) and (d)
the error function $e(b_1)$ shows a clear basin around the actual key $b_1 = a_1$, and in Figs.1(a)
and (b), far away from the basin, we have $e(b_1) \approx \frac{1}{3}$.
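The scheme of Eqs.(1)-(2) and the error function of Eq.(4), written out as an added Python example (not the authors' code), with the parameters of Eq.(5) and N = 25. The function names, the seed, the constructed random plaintext and the shorter T = 5000 are assumptions of this example; it evaluates e(b) at the true key and at test keys far outside the basin.

```python
import random

MU, NU = 52, 32                 # Eq. (5): mu and nu
EPS = 0.99                      # Eq. (5): coupling strength epsilon
MOD = 1 << NU
KEY_A = (0.5, 0.5, 0.5, 0.5)    # Eq. (5): a_j = 0.5, m = 4


def coefficients(key, n_sites):
    """Map prefactors: 3.75 + key_j/4 on the m keyed sites, 4 on the rest."""
    return [3.75 + k / 4 for k in key] + [4.0] * (n_sites - len(key))


def step(state, coef, drive):
    """One lattice update, Eqs. (1a)-(1b); drive is x_n(0) = S_n / 2^nu."""
    prev = [drive] + state[:-1]              # x_n(j-1) for j = 1..N
    return [c * ((1 - EPS) * x * (1 - x) + EPS * p * (1 - p))
            for c, x, p in zip(coef, state, prev)]


def keystream_word(state):
    """K_n = int(x_n(N) * 2^mu) mod 2^nu, Eq. (1c)."""
    return int(state[-1] * (1 << MU)) % MOD


def encrypt(plain, key, state):
    coef, cipher = coefficients(key, len(state)), []
    for i_n in plain:
        s_n = (keystream_word(state) + i_n) % MOD          # Eq. (1c)
        cipher.append(s_n)
        state = step(state, coef, s_n / MOD)               # Eq. (1d) drives (1a)
    return cipher


def decrypt(cipher, key, state):
    coef, plain = coefficients(key, len(state)), []
    for s_n in cipher:
        plain.append((s_n - keystream_word(state)) % MOD)  # Eq. (2c)
        state = step(state, coef, s_n / MOD)               # Eq. (2d) drives (2a)
    return plain


def error_function(plain, recovered, transient=100):
    """e(b) of Eq. (4); the first 100 iterations are discarded as in the text."""
    pairs = list(zip(plain, recovered))[transient:]
    return sum(abs(r - p) for p, r in pairs) / (MOD * len(pairs))


def trial(test_key, n_sites=25, T=5000, seed=1):
    """Encrypt constructed random plaintext with KEY_A, decrypt with test_key."""
    rng = random.Random(seed)
    plain = [rng.randrange(MOD) for _ in range(T + 100)]
    x0 = [rng.random() for _ in range(n_sites)]   # transmitter initial state
    y0 = [rng.random() for _ in range(n_sites)]   # receiver starts elsewhere
    cipher = encrypt(plain, KEY_A, x0)
    recovered = decrypt(cipher, test_key, y0)
    return plain, recovered, error_function(plain, recovered)


if __name__ == "__main__":
    for b1 in (0.5, 0.3, 0.7):
        _, _, e = trial((b1, 0.5, 0.5, 0.5))
        print(f"b1 = {b1}: e = {e:.4f}   (1/3 = {1 / 3:.4f})")
```

With the matching key the receiver synchronizes from a different initial state and the plaintext is recovered exactly after the transient; with a test key far from the key the error sits near 1/3.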

Suppose two data sequences $A_n$ and $B_n$ are completely random and uniformly distributed
in [0, 1], and they are completely uncorrelated with each other; then the average error
between the two data sequences is

$$\langle e(A,B) \rangle = \lim_{T \to \infty} \frac{1}{T} \sum_{n=1}^{T} |A_n - B_n| = \frac{1}{3} \tag{6}$$

The square root of the variance of this error for sequences of length $T$ reads

$$\sqrt{\left\langle \left[ \frac{1}{T} \sum_{n=1}^{T} \left( |A_n - B_n| - \langle e \rangle \right) \right]^2 \right\rangle} = \frac{1}{3\sqrt{2T}} \tag{7}$$

It is confirmed that the numerical results of $e(b_1)$ plotted in Fig.1 satisfy both relations
Eqs.(6) and (7) to very high precision when $b_1$ is chosen far from the key basin. This
indicates that the output keystreams $K_n$ and $K'_n$ of Eqs.(1) and (2) have rather good
statistical properties of randomness and uniform distribution in (0, 1), and both $K_n$ and $K'_n$
are practically independent of each other if $|b_1 - a_1|$ is considerably larger than the basin
width.
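The values 1/3 and $1/(3\sqrt{2T})$ in Eqs.(6) and (7) follow from elementary integrals. The steps below are added here and are not part of the original paper; they assume, as the text does, that $A$ and $B$ are independent and uniform on [0, 1], and that successive samples are independent:

$$\langle |A-B| \rangle = \int_0^1\!\!\int_0^1 |a-b|\,db\,da = 2\int_0^1\!\!\int_0^a (a-b)\,db\,da = 2\int_0^1 \frac{a^2}{2}\,da = \frac{1}{3},$$

$$\langle |A-B|^2 \rangle = \langle A^2 \rangle + \langle B^2 \rangle - 2\langle A \rangle \langle B \rangle = \frac{1}{3} + \frac{1}{3} - \frac{1}{2} = \frac{1}{6},$$

$$\mathrm{Var}\left(|A-B|\right) = \frac{1}{6} - \frac{1}{9} = \frac{1}{18}, \qquad \sqrt{\frac{1}{18\,T}} = \frac{1}{3\sqrt{2T}}.$$

Averaging over $T$ independent terms divides the variance by $T$, which gives the last expression.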

In [21], a similar error function basin was observed (Fig.1 in [21]). Now we will go further to
study the functional behavior of this basin with numerical data, which will be important for
predicting the security level of the system against EFA. We find that $e(b_1)$ can be represented
by a unified empirical formula

Y i 1 + 5 — «i I 

= 3 1 + (^) ' a(bl) = I | I ' (8) 
$c_1 = 2.8 \times 10^{-12}$, $c_2 = 4.0 \times 10^{-9}$

which is plotted by the solid curves in Figs.2(a) and (b). The formula prediction of Eq.(8)
perfectly coincides with the numerical results of $e(b_1)$ [circles, $T = 10^3$ for (a) and $10^7$ for
(b)] for all ranges from $|b_1 - a_1| \ll c_2$ to $|b_1 - a_1| \gg c_2$. In both limits of large and small
$|b_1 - a_1|$ the error function has interesting scalings of

$$e(b_1) \propto |b_1 - a_1|^{\alpha_1}, \quad \alpha_1 = 1, \quad |b_1 - a_1| \ll c_2 \tag{9a}$$

$$\frac{1}{3} - e(b_1) \propto |b_1 - a_1|^{-\alpha_2}, \quad \alpha_2 = \frac{5}{3}, \quad |b_1 - a_1| \gg c_2 \tag{9b}$$

With the basin structure of Figs.1 and 2, the intruder can make EFA as follows. Suppose
the error function has a key basin of width $W$. Away from the key basin, the error function
is flat, $e(b_1) \approx \frac{1}{3}$ with certain fluctuation, and the intruder cannot find any tendency toward
the position of the key. Therefore, he can make only a brute force attack to find the key basin
with average cost of $L/W$, where $L$ is the space length available for setting the key (in our
case $L = 1$). If the intruder finds the key basin, he can find the tendency in the basin towards
the key, and can easily expose the key position by certain optimal searching methods, such
as adaptive searching. Therefore, the width of the key basin $W$ is an extremely important
quantity for the security of our system against EFA. This width can be conveniently defined
from Eq.(8). According to Eq.(8) the error function $e(b_1)$ is monotonically decreasing towards
the key. Nevertheless, as $|\frac{1}{3} - e(b_1)| \ll 1$ (i.e., $|b_1 - a_1| \gg c_2$) and $T$ is finite, the inevitable
fluctuation of $e(b_1)$ characterized by Eq.(7) may be considerably larger than $\frac{1}{3} - e(b_1)$, and
thus can definitely mask the monotonic tendency of Eq.(8). According to this argument
the basin width $W$ may be defined as being proportional to the distance between the right
and left boundaries $b_r$ and $b_l$



$$W = \beta (b_r - b_l) \tag{10a}$$

$$\frac{1}{3} - e(b_{l,r}) = \frac{1}{3\sqrt{2T}} \tag{10b}$$

where the multiplying factor $\beta$ in Eq.(10a) can be roughly chosen such that for $|b_1 - a_1| > W$
no tendency of $e(b_1)$ towards the key location can be observed. Equations (10) and (9b),
together, lead to

$$W \propto T^{\frac{1}{2\alpha_2}} = T^{0.3} \tag{11}$$

For larger $T$ we can certainly have larger width $W$ and need fewer tests $(L/W)$ for finding the
key basin, but meanwhile we need more computation time for each test ($T$ iterations for
each test), and need more cost for collecting longer known plaintext data. Therefore, the
total computation cost for finding the key basin in the space of four parameters $(b_1, b_2, b_3, b_4)$
reads

$$\mathrm{Cost} \approx \left( \frac{L}{W(T)} \right)^4 T \tag{12}$$

For numerical simulations we define $b_l$ and $b_r$ by the first left and right crossings of $e(b_1)$
over $\frac{1}{3}$, respectively, when $b_1$ varies from $b_1 = a_1$ to large $|b_1 - a_1|$, and $W$ is defined as
$W = 10(b_r - b_l)$ according to Eq.(10a). In Figs.3(a)-(d) we plot $e(b_1)$ for different $T$'s by
keeping other parameters the same as in Fig.1, where $b_l$, $b_r$ and $W$ are clearly indicated. The
crossing points $b_l$ and $b_r$ may fluctuate in different runs, but this fluctuation does not affect
the general tendency between $W$ and $T$. In Fig.3(e) we plot $W$ against $T$, where the solid
line denotes the scaling line

$$\log W = -10.53 + 0.30 \log T, \quad W = 2.95 \times 10^{-11}\, T^{0.30} \tag{13}$$

while the dots represent numerical data. These numerical results fully confirm the prediction of
Eq.(11), which is deduced from the empirical formula Eq.(8) and the scaling relation Eq.(9b).
Inserting Eq.(13) into Eq.(12) we can specify the cost to break the security of the system.
The minimal computation cost for breaking our system by EFA can be achieved at $T \approx 10^{36}$
and $W(T) \approx 1$, which produces

$$\mathrm{Cost} \approx 10^{36} \ \text{iterations} \tag{14}$$



III. CHAOTIC CRYPTOGRAPH WITH A S-BOX OPERATION 



Though the security given by Eq.(14) is rather high (equivalent to an effective key
of 120 bits), the basin of Eq.(8) restricts the security level. This basin structure is due
to the insensitivity of chaos synchronization to very small mismatch of the corresponding
parameters in analytical computation of chaos.

With smaller system size $N$, the output keystream $K'_n$ has even lower sensitivity to the
variable $\mathbf{b}$ (i.e., has larger basin width $W$), and accordingly the system has even lower
security. In order to shrink the basin width and further increase the sensitivity of $K'_n$ to
small changes of the key $\mathbf{b}$ with a given smaller system size (i.e., with less computational
expense), one has to perform some additional (nonanalytical) operation to directly shift
the bits corresponding to small key variation to the position corresponding to larger key
variation. Specifically, we modify Eqs.(1) and (2) as follows.

First, we change (1d) and (2d) to



x n (0) 



S n /2", for l^S n /2"^l 

S n /2" + f , for S n /2" < \ (15) 
SJ2" - |, for S n /2» > | 



y n (0) = x n (0) 

respectively. These changes effectively increase the sensitivity of the keystreams $K_n$ and $K'_n$
to the secret keys $\mathbf{a}$ and $\mathbf{b}$, respectively, for small (large) and even zero $S_n$ (or $S_n/2^{\nu} = 1$).
In Eq.(2) such sensitivity is very low for $0 < S_n/2^{\nu} \ll 1$ and $0 < 1 - S_n/2^{\nu} \ll 1$, and this
weakness can be intelligently used by the intruder with the chosen-ciphertext attack [24].
Second, we add an S-box in the $(m+1)$th map in both transmitter and receiver, namely, we
modify the $(m+1)$th map of Eq.(1) as

$$x'_{n+1}(m+1) = (1-\varepsilon) f[x_n(m+1)] + \varepsilon f[x_n(m)],$$

$$Q'_n = [\mathrm{int}(x'_{n+1}(m+1) \times 2^{\mu})] \bmod 2^{\nu} \tag{16a}$$

$$Q_n = \mathrm{Sbox}(Q'_n)$$

$$x_{n+1}(m+1) = Q_n/2^{\nu} \tag{16b}$$

where the S-box is defined as follows: 

$$A_1 = [(Q'_n \gg 24) \,\&\, 255], \quad A_2 = [(Q'_n \gg 16) \,\&\, 255],$$

$$A_3 = [(Q'_n \gg 8) \,\&\, 255], \quad A_4 = Q'_n \,\&\, 255, \tag{17}$$

$$A_0 = A_1 \oplus A_2 \oplus A_3 \oplus A_4$$

$$Q_n = [A_0 \ll 24] + [A_4 \ll 16] + [A_3 \ll 8] + A_2$$

In Fig.4 we show the operations of Eq.(17) schematically. The operation $x \gg y$ denotes a
right shift of $x$ by $y$ bits, the & operator is bitwise AND and $\oplus$ means bitwise XOR [25].
After the S-box transformation of (17) all the 32 bits in $Q'_n$ take place in the highest bits
in $Q_n$ through $A_0$. This operation greatly enhances the sensitivity of the output $S_n$ to
the mismatches of the secret key (these mismatches are naturally reflected in the low bits
of $Q'_n$). The decryption transformation (2) has exactly the same S-box operation:

$$y'_{n+1}(m+1) = (1-\varepsilon) f[y_n(m+1)] + \varepsilon f[y_n(m)], \tag{18a}$$

$$Q'_n = [\mathrm{int}(y'_{n+1}(m+1) \times 2^{\mu})] \bmod 2^{\nu}$$

$$Q_n = \mathrm{Sbox}(Q'_n)$$

$$y_{n+1}(m+1) = Q_n/2^{\nu} \tag{18b}$$
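The byte operation of Eq.(17), as an added Python example (not the authors' code): it measures how far a single flipped bit of $Q'_n$ moves the value $Q_n/2^{\nu}$ that is fed back into the lattice, with and without the S-box. The function names, the inverse map and the GF(2)-linearity check are additions of this example; the sample words are constructed at random.

```python
import random

NU = 32
BYTE = 0xFF


def sbox(q):
    """Eq. (17): split Q'_n into bytes A_1..A_4, XOR them into A_0, reorder."""
    a1, a2, a3, a4 = (q >> 24) & BYTE, (q >> 16) & BYTE, (q >> 8) & BYTE, q & BYTE
    a0 = a1 ^ a2 ^ a3 ^ a4
    return (a0 << 24) + (a4 << 16) + (a3 << 8) + a2


def sbox_inverse(q):
    """Inverse of Eq. (17). Added only to check that the map is a bijection;
    transmitter and receiver both apply the forward map and never need this."""
    a0, a4, a3, a2 = (q >> 24) & BYTE, (q >> 16) & BYTE, (q >> 8) & BYTE, q & BYTE
    a1 = a0 ^ a2 ^ a3 ^ a4
    return (a1 << 24) + (a2 << 16) + (a3 << 8) + a4


def min_shift_per_bit(samples):
    """For each bit k of Q'_n: (k, shift of Q'_n/2^nu without the S-box,
    smallest shift of Q_n/2^nu with the S-box) when bit k alone is flipped."""
    rows = []
    for k in range(NU):
        with_sbox = min(abs(sbox(q ^ (1 << k)) - sbox(q)) for q in samples)
        rows.append((k, (1 << k) / 2 ** NU, with_sbox / 2 ** NU))
    return rows


def is_gf2_linear(samples):
    """Eq. (17) is XOR plus a byte permutation, so sbox(a ^ b) == sbox(a) ^ sbox(b)."""
    return all(sbox(a ^ b) == sbox(a) ^ sbox(b)
               for a, b in zip(samples, samples[1:]))


if __name__ == "__main__":
    rng = random.Random(7)
    words = [rng.getrandbits(NU) for _ in range(2000)]   # constructed sample words
    for k, plain_shift, sbox_shift in min_shift_per_bit(words)[:8]:
        print(f"bit {k}: without S-box {plain_shift:.3e}, with S-box >= {sbox_shift:.3e}")
    print("bijective on samples:", all(sbox_inverse(sbox(q)) == q for q in words))
    print("linear over GF(2):", is_gf2_linear(words))
```

A flip of the lowest bit moves the fed-back value by $2^{-32}$ without the S-box and by at least $(2^{24} - 2^{16})/2^{32}$ with it; the linearity check is consistent with the remark later in this section that the S-box by itself provides little confusion or diffusion.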

The modified chaotic cryptosystem basically performs analytical floating-point
computations on continuous variables. However, it incorporates a very simple
conventional operation based on algebraic transformations of integer variables.
The following operations in the whole arithmetic of the system Eqs.(1), (2) and (15)-(18)
are of crucial importance for achieving optimal cryptographic properties:

(i) The transmitted signal $S_n$ is defined as integer sequences by the int operation in
Eqs.(1d), (2d), and this operation effectively enhances the robustness of the communication
against noise disturbances in the transmission channel, and against the round-off errors of
both transmitter and receiver computers. This improvement is extremely important when
the system has very high security (i.e., very high sensitivity to small changes of system
parameters, variables and driving signal).

(ii) We apply modulo operations on some integer variables [Eqs.(1c), (2c), (16), and (18)].
These operations greatly enhance the sensitivity of chaos synchronization to the secret key
parameters ($\mathbf{a}$ and $\mathbf{b}$), and considerably increase the difficulty of any attacks based on
analytical computations.

(iii) The S-box operations of Eqs.(16)-(18) dramatically change the basin structure of
Figs.1 and 2, and effectively improve the security of the chaotic cryptograph. Particular
attention will be paid to this point in the following discussion.

In Figs.5(a)-(d) we do the same as in Figs.1(a)-(d), respectively, with modifications
(15)-(18) taken into account. It is remarkable that with the S-box operation, the continuous
basin in Figs.1 and 2 now shrinks to a singular needle-like structure with zero width. In
Fig.5 various refinements of detection precision up to $2^{-45}$ do not help to amplify
the basin width; this is in sharp contrast with Fig.1, where finer detection precision can
show larger and clearer basins [Fig.1(d)].

Another significant point is that the singular needle-like basin structure cannot be
changed by collecting and applying more known past plaintexts, i.e., by increasing $T$. In
Figs.6(a)-(d) we do the same as in Figs.3(a)-(d), respectively, with Eqs.(15)-(18) applied. It
is clear that $W = 2^{-45}$ is kept for different $T$'s, of which the largest one is up to $T = 10^8$
($3.2 \times 10^9$ bits of plaintext). For collecting so much plaintext data one has to illegally listen to
a given secure talk for about five days without any break (in normal voice communication,
the transmission speed is about 8k bits per second). Thus, the practical security of our
modified chaotic cryptosystem against EFA is determined by the key number $2^{180}$ (four key
parameters, each 45 bits) with the system size $N = 10$, which is much higher than that
without the S-box operation [$2^{120}$ given by Eq.(14)] with considerably larger size $N = 25$.

It is emphasized that the S-box of Eq.(17) is very simple and needs little computation
cost. This operation can thus hardly produce effective bit confusion and diffusion by itself
in the conventional cryptograph. Nevertheless, incorporated with spatiotemporal chaos
synchronization, this algebraic transformation can greatly enhance the practical security
of chaotic cryptograph. This is the most significant result of the present paper: a
suitable combined application of both chaotic and conventional cryptographies may
yield surprisingly high benefit.

IV. CONCLUSION AND DISCUSSION 

In conclusion we would like to remark that the modified chaotic system [Eqs.(1) and
(2) with modifications of (15)-(18)] is highly secure against EFA, which is a very strong
attack because with this attack the intruder effectively uses all information accessible to the
legal receiver except the secret key. We assume that the security against EFA is
probably the actual practical security of the system. Nevertheless, in this concluding
part we would like to briefly mention the difficulties and the results (without giving much
reasoning) of some other possible attacks in evaluating our system. The detailed analysis
of all these attacks is in preparation and will be presented elsewhere [27].

First, the keystream $K_n$ and, accordingly, the transmitted signal $S_n$ have very good
statistical properties. They satisfactorily pass the randomness checking of all the 16 types
of NIST Standard evaluations of [26] for arbitrary plaintexts. The keystream ($K_n/2^{\nu}$) has
uniform distributions in the interval (0,1) up to $q$-order ($q$'s from 1 to 4 have been carefully
checked, and even higher orders up to $q = 10$ have been roughly checked). These uniform
distributions remain unchanged by widely changing the secret key and the plaintexts. The
probability distribution of differences between any ciphertexts is practically independent of
the difference of the corresponding plaintexts. Thus, many attacks in conventional
cryptanalysis such as linear attack and differential attack can hardly work for our system. And
all attacks based on statistical analysis may not work effectively.

Second, most of the attacks used in chaotic cryptography, such as nonlinear dynamics
forecasting and dynamics reconstruction [10-16], are definitely not efficient for evaluating our
system, because these approaches apply ciphertext-only and private-structure attacks.
Without enjoying the information of system dynamics and known plaintext these attacks are
incomparably weaker. These attacks often reconstruct the system dynamics by constructing
time-delay return maps. Due to the good statistical properties mentioned above these
return maps all have uniform distributions from which one can hardly find any trace of the
system dynamics as well as the secret key.

Usually chaotic cryptograph may be easily attacked by analytical computations in the 
case of one-round encryption. However, in our case nonlinearity together with multiplicity 
of coupled maps makes analytical attacks difficult. The truncations and S-box operations 
break simple analytical relations between the key and the output signals. A simple analysis 
shows that attacks based on analytical solution need much more computational cost than 
EFA for breaking the security of the system. 

Recently, Hu et al. proposed a chosen-ciphertext attack to evaluate chaotic
cryptosystems [24], which is very strong. It can be shown that this chosen-ciphertext attack can break
the security of Eqs.(1) and (2) without S-box operation with much less cost than Eq.(14),
i.e., this attack is much stronger than EFA. However, with the S-box operation and the
associated modifications ((15)-(18)), the chosen-ciphertext attack can be made completely
ineffective by including the bits of the secret key ($\mathbf{a}$ for encryption and $\mathbf{b}$ for decryption).
An analysis similar to [24] shows that the computation cost of the chosen-ciphertext attack
of [24] is again much more expensive than EFA. This matter will be discussed in detail in
our future work. It is well known that chosen-ciphertext attacks are among the strongest
attacks if we classify the intensities of various evaluations [18, 24]. Thus, it is reasonable to
estimate the practical security of our system by Eq.(4) and Fig.5.

With respect to the problem of security, our system has a good advantage over AES.
Our system is practically a one-time pad cryptograph if its secret key can be well hidden
and the encryption time is much shorter than the period of the computer realization of chaos.
On the contrary, AES is definitely not a one-time pad even if its key is kept secret, because
for AES the same inputs always produce the same outputs. Our system has fairly fast
encryption speed. With the C code running on a Pentium III (700MHz) computer it can
encrypt 50Mbit ciphers (with the key length of 180 bits), which is comparable to that of AES
having a speed of 83Mbit per second with a key of 192 bits by using the same computer. The
encryption speed of our system can be further greatly enhanced by parallel encryption
operations of multiple space units [22].

Finally, we would like to emphasize that our system will not suffer from the periodicity
of the finite-precision computer realization of chaos. By increasing the number of coupled maps
this period increases rapidly. We certainly cannot directly detect the period of our system
because it is too long. An estimation based on a small number of coupled maps shows that
the period of our system with $N = 10$ and double precision computation is about $10^{70}$ [19].
The currently best computer in the world needs to work more than $10^{45}$ years to reach this
period, and thus spatiotemporal chaos can be surely observed in our system for practically
unlimited uses.
Captions of Figures

Fig.1 Error function $e(b_1)$ defined in Eq.(4) vs the decryption key parameter $b_1$ with
different detection resolutions. $T = 10^5$. The basins of the error function around the key
position $b_1 = a_1$ can be clearly observed in (c) and (d).

Fig.2 (a) and (b) Comparison of the prediction of Eq.(8) (solid lines) with numerical
measurements (circles) of the error function Eq.(4) for $T = 10^3$ [(a)] and $T = 10^7$ [(b)],
respectively. Agreements of the analytical predictions with numerical results are
satisfactory. The agreement shown in (b) is particularly desirable since there the fluctuation of
$e(b_1)$ is considerably reduced by taking rather long $T = 10^7$ ($3.2 \times 10^8$ bits of plaintext).

Fig.3 Widths of the basins of the error function $e(b_1)$ for different available lengths of
plaintexts: (a) $T = 10^3$, (b) $T = 10^4$, (c) $T = 10^6$, (d) $T = 10^7$, respectively. The boundaries $b_l$ and
$b_r$ are defined by the first crossings of $e(b_1)$ over $e(b_1) = \frac{1}{3}$ when $b_1$ varies from $b_1 = a_1 = 0.5$
to left and right, respectively. The basin width $W$ is taken as $W = 10(b_r - b_l)$. (e)
$W = 10(b_r - b_l)$ plotted vs $T$. The solid line is the prediction of Eq.(11) while the circles
represent numerical data. Both coincide with each other satisfactorily.

Fig.4 The schematic figure of the S-box operation of Eq.(17). (a) Four bytes $A_1$, $A_2$,
$A_3$ and $A_4$ divided from $Q'_n$ of 32 bits, and $A_0$ produced from $A_i$ via XOR operations. (b)
Produce $Q_n$ of 32 bits from the four bytes $A_0$, $A_4$, $A_3$, and $A_2$.

Fig.5 The same as Fig.1 with the modifications (15)-(18) taken into account. $T = 10^5$.
The error function basin now shrinks to a needle-like single point, regardless of the detection
resolution; this is in sharp contrast with the behavior of Fig.1. In (d) the resolution is up
to $2^{-45}$, indicating that the key number of the four parameters $b_1$ to $b_4$ can be up to $2^{180}$.

Fig.6 The same as Figs.3(a)-(d), respectively, with Eqs.(15)-(18) applied. Increasing
$T$ can effectively reduce the fluctuation of $e(b_1)$, but cannot change the needle-like basin
structure.